Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Haiti Earthquake

Threat Modeling is the Exciting, Sexy Part of Risk Assessment

As a risk assessment professional, when I get into a risk discussion, most security people want to talk about THREAT!  Threat is the most sexy and exciting part of doing a risk assessment.

Threats are exciting all by themselves.  Think about all the threats you can name:

All the natural disasters like Earthquakes, Tornadoes, Storms, Hurricanes, Tsunamis, Lightning, Floods

Crimes like Homicide, Assault, Rape, Burglary, Theft, Kidnapping, Blackmail, Extortion

Terrorism like Sabotage, Explosions, Mail Bombs, Suicide Bombs

All the IT Threats like Malicous Code, Disclosure, Data Breaches, Theft of Data

And about 50 more including Chem/Bio incidents, Magnetic waves, High Energy Bursts, Microbursts, Contamination and Reputation Damage.

Each of these threats could theoretically occur at any time, but we try to establish a pattern of how often they have occurred in the past, in this location, in this county, in this country, in the company, etc.   So NASA, for example, gets thousands of hacker attacks, but another company, like the local Salvation Army, gets 1 every 10 years.

Same model for natural disasters, although you might have to factor in climate change, it’s easy to get the threat incidents for hurricanes in Florida, snow storms in Cleveland, earthquakes in northern California, etc.

We also like to examine industry specific data to see if some threats are higher in a certain industry, like the high incidence of workplace violence incidents in hospitals and high risk retail establishments (like Wawa or 7-11).

Another factor we use in calculating threat likelihood is how the threat could actually affect different types of assets…. for example, would an earthquake damage a car?  Probably not. Would it cause damage to an old historical building – probably (unless it had been retrofitted).  Could it cause loss of life, or injuries (think Haiti).

So I use a multidimensional model that takes the threats list (I have a standard list of 75 threats that I use), and map it to each potential loss, based on the ‘asset’ that might be affected.

The more data you get, the better your model will be, and the more value it will have as a decision support tool!

 



How to Correctly Analyze 100-Year Threats for Risk Assessments

Starting a risk assessment in northern Virginia and going through the threat list they say, “You can take earthquakes out – we don’t have earthquakes here”!

Hey, Haiti didn’t have earthquakes!

Vermont didn’t have major floods!

Connecticut doesn’t have tornados!

Like Murphy’s Law, as soon as you discount a threat, and think, “it will never happen here”, it happens!   The earthquake in the mid-Atlantic in August was a wake-up call for those who that they would never have earthquake damage.

One of the reasons that security risk assessment is so highly valued as an analytical took, and why it’s required by so many governments is because it DOES take into account the 100-year flood, the 75-year drought, etc.

Natural disasters can be so overwhelming, and catastrophic, that they must be considered in any proper risk assessment.  This is why some areas are not suitable for building housing tracts, because they are in a 100-year flood plan.

Because human memories are short, just because YOU haven’t experience a flood
along a meandering creek, doesn’t mean it will never happen.  

Always check the long-term probabilities when you start a risk assessment and make the numbers work for you!



Risk Assessment: Too much emphasis on PROCESS hampers rescue efforts in Haiti

From the night that CNN showed Dr. Sanjay Gupta staying up all night to attend to patients in a field hospital, because the UN thought it was unsafe for their doctors and medical staff, you can’t help but feel like the security threat there has been used to avoid taking any chances — while the Haitian people are having to absorb all the risk!

Even Anderson Cooper said, from his position in the ground, that the security fears were overblown and other doctors have corroborated this! So why is the UN using security as a cover….

The UN is an organization that often favors PROCESS over ACTION. I can understand that they are used to having convoys attacked in dangerous areas like Cambodia and Ethiopia — but this is Haiti…. we know Haiti… no rocket launchers in Haiti — no political goals on display in Haiti. Just poor, starving, sick people with no homes, no resources, no medical facilities, no food, and no water.

As a risk person, I just wonder if they actually did a quick 1 hour risk assessment on this disaster which would have pointed out that the risk of slow, un-action is much worse in this case – than the risk of a security incident.



Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

CNN seems like it’s grabbed the lead on Haiti Earthquake coverage. They crossed that line last night when Sanjay Gupta, the CNN doctor, spent all night in a field hospital caring for patients that the UN left alone in a tent.

So there are thousands of images of the aftermath of the earth. Thousands of sad stories of loss and tragedy and all of it magnified by the grinding poverty of the country and it’s lack of government control and working infrastructure (even before the earthquake).

Obviously – it is impossible to prevent an earthquake, so there are three areas that could be explored to make earthquake disasters less horrific.

1. Advance notice of seismic activity in an area. Hurricane can be seen forming and building and can be graded, and prep work can began days before the disaster strikes
(yes – like Katrina). But perhaps it is also possible to have sensors that mark seismic activity. At least enough to get a glimmer of warning. My research says that there has been a project since 2007 to install sensors in the ocean floor to track tremors. After the Indonesian tsunami, the urgency to install these sensors increased dramatically. And because Haiti was on a fault line — I can’t help but wonder if someone somewhere in a research lab, may have noticed a few unusual tremors because this actually occurred.

2. Creating a System of International Building Codes. Obviously the death, injuries and damage occur from falling buildings and building materials (in the Haitian earthquake – cinder blocks). The UN could create standards for buildings with different standards based on the type of earthquake zone. For example, there could be a simple 1-5 scale and places that often have earthquakes (California, Japan, Pakistan) would have stricter standards than a place with almost no earthquakes, i.e. Florida and India.

While every building in a quake-prone country might not comply with the guidelines, the big multi-nationals would – the hotel chains, the government buildings (perhaps), and the better residential areas — and who lives in the better residential areas? The doctors, the medical professionals, the government officers, exactly the group of people you need in an emergency.

3. Creating Standards for Better Emergency Planning and Disaster Recovery.
The big increase in business continuity plans and disaster recovery plans (see
www.recoveryplanner.com) is amazingly limited to INFORMATION recovery and working to limit or prevent interruptions in information systems. The same kind of planning does not exist for disasters in most underdeveloped countries. Again, this is an area where the U.S. agency, FEMA could play a leading role; or the UN should make it a priority to do some kind of minimal planning standards for these devastating emergencies with massive injuries and loss of life.

The National Fire Protection Associations (www.nfpa.org) has published an Emergency Preparedness standard called NFPA 1600 – the Standard on Disaster/Emergency
Management and Business Continuity Programs and it’s a good example of the basics of Emergency Preparedness.

Individual countries would do their citizens a service by acquainting them with how to prepare families to survive in emergencies, whether they are triggered by power outages, severe cold, hurricanes or earthquakes!

Emergency Preparedness’ critical role in emergencies is something you can watch unfolding this week, as the relief efforts get stalled by lack of clear roads, problems at the airports, time involves in sea travel, etc. There has to be a better way – one that can be refined and used in future disasters.

In case you think you will never see an earthquake – here are the statistics on how many earthquakes occur in the world each year. These are averages but you can see that there is, on average, one giant earthquake, and seventeen large earthquakes, 134 strong earthquakes and many more light and moderate earthquakes.

TYPE STRENGTH AVERAGE PER YEAR
Great 8 or higher 11
Major 7–7.9 172
Strong 6–6.9 1342
Moderate 5–5.9 1,3192
Light 4–4.9 c. 13,000

The Boy Scouts were right when they adopted “BE PREPARED” as their motto.

These are three areas:

1. Better Ways to Predict Earthquakes (by even a day),
2. Minimum Building Codes based on local geography, and
3. Uniform Emergency Preparedness standards around the world.

These could be explored to prevent or at least mitigate the devastation we have seen in Haiti this week.




top